1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-11 09:18:08 +00:00
kube-bench/cfg/eks-stig-kubernetes-v1r6/node.yaml
Chris Renzo a34047c105
Adding eks-stig-kubernetes-v1r6 (#1266)
* Adding eks-stig-kubernetes-v1r6

* Fixing lint errors

* Reformatting texts

* Removing pinned docker tag

* Updating Expected Stig Output

Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
2022-09-14 17:40:48 +03:00

288 lines
12 KiB
YAML

---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 3.1
text: "DISA Category Code I"
checks:
- id: V-242387 # CIS 3.2.4
text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: V-242391 # CIS 3.2.1
text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242392 # CIS 3.2.2
text: "The Kubernetes kubelet must enable explicit authorization (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242397
text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- path: '{.staticPodPath}'
set: false
remediation: |
Edit $kubeletconf on each node to to remove the staticPodPath
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242415
text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)"
type: "manual"
remediation: |
Run the following command:
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
If any of the values returned reference environment variables
rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
scored: false
- id: V-242434 # CIS 3.2.6
text: "Kubernetes Kubelet must enable kernel protection (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
set: true
compare:
op: eq
value: true
remediation: |
If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242435
text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242393
text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
tests:
test_items:
- flag: ActiveState
compare:
op: eq
value: inactive
remediation: |
To stop the sshd service, run the command: systemctl stop sshd
scored: true
- id: V-242394
text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
tests:
test_items:
- flag: "disabled"
remediation: |
To disable the sshd service, run the command:
chkconfig sshd off
scored: true
- id: V-242395
text: "Kubernetes dashboard must not be enabled. (Manual)"
type: "manual"
remediation: |
Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
If any resources are returned, this is a finding.
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
scored: false
- id: V-242398
text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "DynamicAuditing=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or kubelet config files that contain the feature-gates
setting with DynamicAuditing set to "true".
Set the flag to "false" or remove the "DynamicAuditing" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: V-242399
text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "DynamicKubeletConfig=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or $kubeletconf that contain the feature-gates
setting with DynamicKubeletConfig set to "true".
Set the flag to "false" or remove the "DynamicKubeletConfig" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: V-242404 # CIS 3.2.8
text: "Kubernetes Kubelet must deny hostname override (Automated)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
set: false
remediation: |
Edit the kubelet service file $kubeletbin
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242406
text: "The Kubernetes kubelet configuration file must be owned by root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletkubeconfig
scored: true
- id: V-242407
text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the following command (using the config file location identified in the Audit step)
chmod 644 $kubeletconf
scored: true
- id: V-242414
text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)"
type: "manual"
remediation: |
For any of the pods that are using ports below 1024,
reconfigure the pod to use a service to map a host non-privileged
port to the pod port or reconfigure the image to use non-privileged ports.
scored: false
- id: V-242442
text: "Kubernetes must remove old components after updated versions have been installed. (Manual)"
type: "manual"
remediation: |
To view all pods and the images used to create the pods, from the Master node, run the following command:
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c
Review the images used for pods running within Kubernetes.
Remove any old pods that are using older images.
scored: false
- id: V-242396
text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
type: "manual"
remediation: |
If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
Upgrade the Master and Worker nodes to the latest version of kubectl.
scored: false